From: nramas <nramas@linux.microsoft.com>
To: Mimi Zohar <zohar@linux.ibm.com>, linux-integrity@vger.kernel.org
Cc: Roberto Sassu <roberto.sassu@huawei.com>,
Stefan Berger <stefanb@linux.ibm.com>,
kernel test robot <lkp@intel.com>
Subject: Re: [PATCH v2] evm: output EVM digest calculation info
Date: Mon, 21 Jun 2021 08:58:44 -0700 [thread overview]
Message-ID: <2df02d43dd057e78c72bc341e6c24ce4d5f15a4b.camel@linux.microsoft.com> (raw)
In-Reply-To: <20210621010327.467523-1-zohar@linux.ibm.com>
On Sun, 2021-06-20 at 21:03 -0400, Mimi Zohar wrote:
> Output the data used in calculating the EVM digest and the resulting
> digest as ascii hexadecimal strings.
>
> Suggested-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
> (CONFIG_DYNAMIC_DEBUG)
> Reviewed-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
> Reported-by: kernel test robot <lkp@intel.com> (Use %zu for size_t)
> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
> ---
> Changelog v1:
> - Use %zu for size_t
Reviewed-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
-lakshmi
>
> security/integrity/evm/evm_crypto.c | 43
> +++++++++++++++++++++++++++++
> security/integrity/evm/evm_main.c | 4 +++
> 2 files changed, 47 insertions(+)
>
> diff --git a/security/integrity/evm/evm_crypto.c
> b/security/integrity/evm/evm_crypto.c
> index 1628e2ca9862..bebe160c57b9 100644
> --- a/security/integrity/evm/evm_crypto.c
> +++ b/security/integrity/evm/evm_crypto.c
> @@ -10,6 +10,8 @@
> * Using root's kernel master key (kmk), calculate the HMAC
> */
>
> +#define pr_fmt(fmt) "EVM: "fmt
> +
> #include <linux/export.h>
> #include <linux/crypto.h>
> #include <linux/xattr.h>
> @@ -175,6 +177,30 @@ static void hmac_add_misc(struct shash_desc
> *desc, struct inode *inode,
> type != EVM_XATTR_PORTABLE_DIGSIG)
> crypto_shash_update(desc, (u8 *)&inode->i_sb->s_uuid,
> UUID_SIZE);
> crypto_shash_final(desc, digest);
> +
> + pr_debug("hmac_misc: (%zu) [%*phN]\n", sizeof(struct h_misc),
> + (int)sizeof(struct h_misc), &hmac_misc);
> +}
> +
> +/*
> + * Dump large security xattr values as a continuous ascii
> hexademical string.
> + * (pr_debug is limited to 64 bytes.)
> + */
> +static void dump_security_xattr(const char *prefix, const void *src,
> + size_t count)
> +{
> +#if defined(DEBUG) || defined(CONFIG_DYNAMIC_DEBUG)
> + char *asciihex, *p;
> +
> + p = asciihex = kmalloc(count * 2 + 1, GFP_KERNEL);
> + if (!asciihex)
> + return;
> +
> + p = bin2hex(p, src, count);
> + *p = 0;
> + pr_debug("%s: (%zu) %.*s\n", prefix, count, (int)count * 2,
> asciihex);
> + kfree(asciihex);
> +#endif
> }
>
> /*
> @@ -230,6 +256,16 @@ static int evm_calc_hmac_or_hash(struct dentry
> *dentry,
> req_xattr_value_len);
> if (is_ima)
> ima_present = true;
> +
> + if (req_xattr_value_len < 64)
> + pr_debug("%s: (%zu) [%*phN]\n",
> req_xattr_name,
> + req_xattr_value_len,
> + (int)req_xattr_value_len,
> + req_xattr_value);
> + else
> + dump_security_xattr(req_xattr_name,
> + req_xattr_value,
> + req_xattr_value_len
> );
> continue;
> }
> size = vfs_getxattr_alloc(&init_user_ns, dentry, xattr-
> >name,
> @@ -246,6 +282,13 @@ static int evm_calc_hmac_or_hash(struct dentry
> *dentry,
> crypto_shash_update(desc, (const u8 *)xattr_value,
> xattr_size);
> if (is_ima)
> ima_present = true;
> +
> + if (xattr_size < 64)
> + pr_debug("%s: (%zu) [%*phN]", xattr->name,
> xattr_size,
> + (int)xattr_size, xattr_value);
> + else
> + dump_security_xattr(xattr->name, xattr_value,
> + xattr_size);
> }
> hmac_add_misc(desc, inode, type, data->digest);
>
> diff --git a/security/integrity/evm/evm_main.c
> b/security/integrity/evm/evm_main.c
> index 977208aecd06..1c8435dfabee 100644
> --- a/security/integrity/evm/evm_main.c
> +++ b/security/integrity/evm/evm_main.c
> @@ -11,6 +11,8 @@
> * evm_inode_removexattr, and evm_verifyxattr
> */
>
> +#define pr_fmt(fmt) "EVM: "fmt
> +
> #include <linux/init.h>
> #include <linux/crypto.h>
> #include <linux/audit.h>
> @@ -272,6 +274,8 @@ static enum integrity_status
> evm_verify_hmac(struct dentry *dentry,
> else
> evm_status = INTEGRITY_FAIL;
> }
> + pr_debug("digest: (%d) [%*phN]\n", digest.hdr.length,
> digest.hdr.length,
> + digest.digest);
> out:
> if (iint)
> iint->evm_status = evm_status;
prev parent reply other threads:[~2021-06-21 15:58 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-06-21 1:03 [PATCH v2] evm: output EVM digest calculation info Mimi Zohar
2021-06-21 15:58 ` nramas [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2df02d43dd057e78c72bc341e6c24ce4d5f15a4b.camel@linux.microsoft.com \
--to=nramas@linux.microsoft.com \
--cc=linux-integrity@vger.kernel.org \
--cc=lkp@intel.com \
--cc=roberto.sassu@huawei.com \
--cc=stefanb@linux.ibm.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).